Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Email Security

Microsoft Expands List of Blocked File Types in Outlook on the Web

Microsoft this week announced plans to add some new file extensions to the list of file types that are blocked in Outlook on the web.

When the change will be operated, it will immediately result in Outlook on the web users no longer being allowed to download attachments that have those file extensions, the tech giant explains.

Microsoft this week announced plans to add some new file extensions to the list of file types that are blocked in Outlook on the web.

When the change will be operated, it will immediately result in Outlook on the web users no longer being allowed to download attachments that have those file extensions, the tech giant explains.

The newly blocked file types, Microsoft claims, are rarely used, which means that the modification will have no impact on most organizations.

File types affected by the change include ones used by programing languages: “.py”, “.pyc”, “.pyo”, “.pyw”, “.pyz”, “.pyzw” (all used by Python); “.ps1”, “.ps1xml”, “.ps2”, “.ps2xml”, “.psc1”, “.psc2”, “.psd1”, “.psdm1”, “.psd1”, “.psdm1”, “.cdxml” and “.pssc” (all used by PowerShell); and “.jar” and “.jnlp” (both used by Java).

Moreover, the tech giant will block “.appref-ms” (used by Windows ClickOnce), “.udl” (Microsoft Data Access Components (MDAC)), “.wsb” (Windows sandbox), and “.cer”, “.crt” and “.der” (used by digital certificates).

Microsoft also decided to block “.appcontent-ms”, “.settingcontent-ms”, “.cnt”, “.hpj”, “.website”, “.webpnp”, “.mcf”, “.printerexport”, “.pl”, “.theme”, “.vbp”, “.xbap”, “.xll”, “.xnk”, “.msu”, “.diagcab” and “.grp”. These are used by various applications and, while associated flaws have been patched, some organizations might still use older versions of the software.

Provided that users do complain about their inability to download those file types and that the organization wants to allow for the use of a particular file type, admins will have the option to add specific extensions to the AllowedFileTypes property of users’ OwaMailboxPolicy objects.

“If your organization requires that users be able to download attachment of these types from OWA, you should first ensure that our organization’s operating systems and application software are up-to-date (in the case files that are opened by application software) or ensure that your users are familiar with the risks associated with the file types (in the case of files that are interpreted by scripting software),” Microsoft explains.

The company also explains that if a file extension is already present in the AllowedFileTypes list, it won’t be added to a policy’s BlockedFileTypes list.

“Security of our customer’s data is our utmost priority, and we hope our customers will understand and appreciate this change. Change can be disruptive, so we hope the information here explains what we’re doing and why,” Microsoft says.

Related: U.S. Cyber Command Warns of Outlook Flaw Exploited by Iranian Hackers

Related: Turla Backdoor Controlled via Email Attachments

Related: Microsoft Patches Over 90 Vulnerabilities With August 2019 Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Funding/M&A

Twenty-one cybersecurity-related M&A deals were announced in December 2022.

CISO Conversations

In this edition of CISO Conversations, SecurityWeek speaks to two city CISOs, from the City of Tampa, and from Tallahassee.